The FBI is investigating a Monday cyber attack by anonymous hackers that forced MedStar Health’s 10 hospitals and more than 250 outpatient centers to shut down their computers and email. After the cyber attack was discovered, the provider immediately made the decision to take down all of their systems as a precaution to ensure further security breaches. The Washington, D.C.-based healthcare system employs more than 30,000 people and treats hundreds of thousands of patients in the Washington region. The incident follows similar cyber attacks targeting at least three other medical institutions in recent weeks.
“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” spokeswoman Ann Nickels said in a statement on Monday. “We are working with our IT and cyber-security partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”
On Tuesday, it was reported that MedStar patients were being turned away or treated without access to the patient’s EHR. By Tuesday evening, MedStar staff could read — but not update — thousands of patient records in its central database, a spokeswoman said.
MedStar Cyber Attack Shows Need for HHS to Implement Cybersecurity Law
The chairman of the Senate health committee said the MedStar cyber attack shows the need for the U.S. Department of Health and Human Services (HHS) to implement cybersecurity legislation passed by Congress “with the urgency patients and hospitals deserve.”
“The consequences of cyber attacks like yesterday’s hacking at MedStar Health can be catastrophic for America’s patients—imagine, an attack leaving doctors unable to access crucial information in a patient’s health history or delaying a surgery for hours on end,”Chairman Lamar Alexander (R-Tenn.) today said. “Congress has passed a law to help keep hospitals and patients safe from these malicious attacks – calling for Health and Human Services to give hospitals and doctors clear information on the best ways to prevent a hack in the first place and putting someone at the agency on the flagpole if a cyber attack occurs. Yesterday’s attack, which, unfortunately, is not unique, shows the need for HHS to implement the law with the urgency patients and hospitals deserve.”
The attack on MedStar Health forced the hospital chain, which serves hundreds of thousands of patients, to shut down its email and health records database in an effort to keep the virus from spreading further throughout the organization. Yesterday’s incident follows similar cyber attacks targeting at least three other medical institutions in recent weeks.
Cybersecurity Information Sharing Act of 2015
Last year, the Senate health committee authored a provision, which passed as part of the Cybersecurity Information Sharing Act of 2015, that would help protect the health care industry from cyber attacks by:
– Charging HHS and its subdivisions with naming an official who is responsible for leading the agency’s cybersecurity efforts—to coordinate response and so health organizations will know who is in charge of offering guidance and support;
– Requesting that the agency issue a report on emerging cyber threats in the health care industry, so both the agency and the American public have an accurate picture of the impact of these attacks;
– Creating a task force of health industry leaders and cybersecurity experts to identify the biggest challenges in securing against cyber threats and recommend specific solutions to the agency;
– Charging the task force to create a central resource to distribute cyber intelligence from the federal government to health care organizations in near real time, so they can rapidly respond to active threats; and
– Instructing HHS to create a series of best practices for health industry leaders to follow—on a voluntary basis—to help them keep their organization’s data as secure as possible.